Like everybody else operating in the online space, we are well on our way to making changes to accommodate the new General Data Protection Regulation (GDPR) legislation. GDPR is all about protecting the data and rights of the individual and I believe it will make our industry better and safer, as Guy Hanson points out in a recent post it might actually improve email engagement.
Our adoption is driving both short term and long term changes in the way that Return Path is operating and thinking about the business of improving email deliverability.
Privacy & Security: The Privacy & Security teams have been at the center of the activities to identify gaps between our existing position with respect to Privacy Shield certification, and our information security standard ISO 27001 with the new GDPR standards. They have also been instrumental in helping other internal teams to understand what it will take to close those gaps.
After May 25th, 2018 they will be the center of excellence that monitors the impact of GDPR across our industry and a resource for our Product and Data Science teams going forward.
Product Development: Our product teams have been working within a framework of Privacy by Design for the last five years as part of our Privacy Shield and before that Safe Harbour compliance. GDPR does bring some revisions of that framework covering the introduction of the “right to data portability”, and updates to the “right for access” and infamously the “right to be forgotten”. The “right to be forgotten” has attracted the most interest, both internally and external to Return Path, because it is the least well understood by all in the industry, being so new.
Our understanding is that data subjects have the right to require an organization that holds their personal data to delete it, where the retention of that data is not compliant with the requirements of GDPR. Therefore as long as your retention and processing policies are GDPR compliant as ours are, or you have a legitimate interest in the data, then you should not be significantly affected by the expanded definition of the “right to be forgotten”.
Return Path’s past compliance with the E.U. Data Protection Directive (officially Directive 95/46/EC) for our current core products has meant that the changes required to meet GDPR compliance have been minimal. The biggest change has been to incorporate even more detail into our hyper-transparent Privacy Policy and in creating more detailed just-in-time notices. These notices appear on the individual’s screen at the point where they are entering personal data, providing a brief message explaining how the information they are about to provide will be used.
One of the few changes we are making to the core products is in service to our clients to help them to be GDPR compliant by anonymizing the persistence of IP address data from our tracking pixel solution. We also have created processes to delete or de-associate PII data.
Our Consumer products (Unsubscriber, Organizer, Notifier for Outlook and Whisker Widget) have required no changes outside of the updated Privacy Policy.
GDPR Article 7(4) “Conditions for Consent” and the draft guidelines of the Article 29 Working Party (WP29) now states “that consent to unnecessary uses of personal data cannot be used as a quid pro quo for access to a service”, thereby invalidating the prevalent business model of providing free services (such as a free app) in exchange for access to personal data. The good news for Return Path is that all of our Consumer products have always allowed individual users to opt out of data processing while still providing the service. We offer the same easy opt out of data sharing to the developer community using Context.IO to support their GDPR compliance efforts.
Where GDPR is having a greater than expected impact is in how it is shaping our thinking around future products. As we explore how to use our ever expanding data science capabilities, GDPR is now a significant consideration. It’s moving privacy by design into the brainstorming phase of product ideation, fueling more creativity, which is a great unexpected benefit.
Corporate: Our legal team has also been busy adding language warranting that our customers have all necessary consent required to use the Return Path services. We’ve been adding Standard Contractual Clauses or Model Clauses to EU deals as they been closed or have been renewed to cover the transfer data to Amazon Web Services (AWS) in the U.S. We’ve also done a lot of work to ensure that vendors that we use are also GDPR compliant.
Although limited to the European Union we anticipate that GDPR or GDPR like legislation is likely to be adopted across more geographic regions such as the Asia and Pacific (APAC) region in the coming years. So getting your infrastructure, operations, and product teams to embrace these changes now is a great investment for the future.
In the short term, I hear a lot of grumbling from my peers in the industry about GDPR taking away effort from new feature work, or introducing new cost to their businesses. While this may well be true, we need to remember that GDPR is an evolution of existing Privacy standards and will I believe go some way to restoring user’s trust in a world of data breaches and unauthorized data sharing. From our perspective it is well worth the investment.